Apple introduced Gatekeeper in OS X Lion as a way to ensure users don't unintentionally run apps or installers from unknown sources. However, if someone is willing to personally (or professionally) identify themselves to Apple, then Gatekeeper will allow their signed apps to run on OS X, regardless of what those apps will do to your system. The reality is that this leaves too much room for malware and adware, including the example I found below.
For the purposes of Gatekeeper, Apple verifies the identity of the developer, but not their intent. It's up to you to ensure that the applications you install and run on your Mac come from the people you think they came from, and we'll show you how to do that.
A Nefarious Installer Bypasses Gatekeeper
As originally discussed in Mac Geek Gab 542, while clicking through from news.google.com (a reputable, source-curated site) to an article, a seemingly innocuous (but fake) Flash update message appeared.
The file I then downloaded was a disk image named "adobe_flashplayer_e2c7b_Setup.dmg". Double clicking on the .dmg revealed a very generic-looking "Installer" package. The attackers easily could have made it look better, even cloning Adobe's icons and styling. Still, this looks like a normal installer.
An Installer (Poorly) Masquerading as an Adobe Installer
Trying to run this installer by double clicking brought up a dialog that OS X presents for any app you’ve downloaded from the Internet. This is normal for applications, but not normal for Installer packages. That's because this attack is a full-fledged application masquerading as an installer by icon and name alone.
When encountering a new download, this is the first time you'll be presented with something that specifically identifies the file's source. Notice where the file was downloaded from: 24check.fixupdatesnow.net. This is not Adobe.
Still, it looks normal enough, and continuing to run it brought up something that looked like OS X's normal Installer, except it wasn't. There are some very specific things unique to OS X's Installer that can help you identify what's going on.
True Installers Can Show Their Source
A Legit Apple Installer Certificate
In the image above, we have a legitimate Apple installer. There's a lock icon in the upper right-hand corner, indicating it is signed by a certificate. That's important because it means Apple has confirmed the identity of the creator. Clicking on the lock displays the certificate of the creator of the Installer. This is something you should do with every installer that provides this option. It's a very simple way to confirm that you're installing an app from the expected developer.
In the case of our nefarious Flash installer, the attackers built an application that looks like Apple's installer, but in the end is just another, normal application. Since the developers chose to identify themselves with Apple and get a certificate, Gatekeeper did nothing to stop us from running it.
And that's the problem. Gatekeeper is doing the job Apple intended for it to do, but it still leaves Mac users open to malware and adware, as it did with the fake Flash installer.
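The lock-icon check described above can also be done from the Terminal with codesign, which prints the signing certificate chain and Team ID for any app bundle. The script below is an added example (not from the article or from Apple); it parses that output and compares the Team ID against the one you expect from the vendor, which is the question Gatekeeper never asks. The sample output and the Team IDs in it are constructed placeholders, not a real developer's certificate.

```python
import re
import subprocess
import sys

# Constructed sample of `codesign -dvvv` output (codesign writes it to stderr).
# The developer name and Team IDs are placeholders, not a real certificate.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/adobe_flashplayer_e2c7b_Setup/Installer.app/Contents/MacOS/Installer
Identifier=com.example.fakeinstaller
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Unrelated Developer (ZZZZ999999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ999999
"""


def parse_codesign(text):
    """Extract the certificate chain, leaf subject and Team ID from codesign output."""
    authorities = re.findall(r"^Authority=(.*)$", text, re.MULTILINE)
    team = re.search(r"^TeamIdentifier=(\S+)$", text, re.MULTILINE)
    return {
        "signed": bool(authorities),          # unsigned/ad-hoc code prints no Authority lines
        "leaf": authorities[0] if authorities else None,
        "chain": authorities,
        "team_id": team.group(1) if team and team.group(1) != "not set" else None,
    }


def assess(info, expected_team_id):
    """Gatekeeper asks 'valid Developer ID?'; this also asks 'the Developer ID we expect?'."""
    if not info["signed"]:
        return "unsigned"
    if info["chain"][-1] != "Apple Root CA":
        return "not anchored to Apple"
    if info["team_id"] != expected_team_id:
        return "signed by unexpected team"
    return "ok"


def check_bundle(path, expected_team_id):
    """Run codesign on a local .app or binary and assess the signer (macOS only)."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return assess(parse_codesign(proc.stderr), expected_team_id)


if __name__ == "__main__":
    # Usage: python3 check_signer.py /path/to/Installer.app EXPECTED_TEAM_ID
    print(check_bundle(sys.argv[1], sys.argv[2]))
```

Look the vendor's Team ID up from a copy of their software you already trust (or from the lock icon in a known-good installer), then refuse to run anything whose Team ID differs, even though Gatekeeper lets it through.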
Next: Who Signed the App and What Can Apple Do?